Last week, security researcher Inti De Ceukelaire revealed a shocking hole in Facebook’s Messenger system that allows anyone to read links you privately send your friends. What’s worse, the flaw isn’t a bug, but an intentional feature that Facebook has no plans to fix.
De Ceukelaire was able to find these privately shared links using the Facebook crawler tool. Indeed, anyone who can make API calls to Facebook’s database can access this info. Even though this seems like a potentially huge privacy breach, your information is probably safe. Most of the people who have access to this data are app developers, and as PC Mag points out, Facebook would probably notice any kind of massive data dump taking place and ban that person’s access to its APIs.
Still, the ease with which De Ceukelaire was able to find users’ private information embedded in URLs is disturbing.
“While you may only share links to funny cat videos with your friends, you should still be worried about this exploit,” he wrote. “Sometimes, sensitive information (personal data, secret keys,…) are included in links without you even noticing.”
Some of the private info he was able to glean: names, pictures, location, language and application data. And when he reported the apparent flaw to Facebook, the site responded by telling him that he had found “publicly documented and intentional behavior.”
You probably didn’t need another reminder, but this is a good one if you did: don’t share your private information anywhere — even in a “private” message — on Facebook.